Reference: user roles
Roles define what users can do in an account and exist at two levels: account and organization. Account-level roles grant access to the full account, while organization-level roles grant access only to organizations.
Assigning roles
Use a least privilege approach when assigning roles. Grant admin-level roles only to users who will manage an account or an organization. Grant requestor or auditor roles to everyone else. For security, use the Service Requestor role with the Zero Touch PKI API.
| Role | Description |
|---|---|
| Account Admin | Account-level role that manages daily operations, including user and organization management, reporting, and account settings. For account security, create more than one Account Admin. |
| Account Auditor | Account-level role with read-only access to certificates, logs, and configuration details to monitor compliance. |
| Organization Admin | Organization-level role that manages users, generates reports, and approves certificate requests. |
| Organization Auditor | Organization-level role with read-only access to certificates, logs, and configuration details. |
| Requestor | Organization-level role with least-privilege access for manual certificate requests. Add certificate policies to require request approval. |
| Service Requestor | Organization-level service account role for the Zero Touch PKI API. No access to the user interface. |